Concrete5.7 setup for HTTPS or SSL access
Permalink 2 users found helpful
Hi Guys,
Our website is running Concrete 5.7 and we have setup our .htaccess to force our traffic on to HTTPS (secure) which is all working great, but there are a few things that are not right and I'm not sure the correct way to resolve them.
We have mixed content issues on some pages however.
CSS
Even though the page is loaded over HTTPS any Concrete5 generated styling for Layouts etc.. is included as http which clearly breaks on most modern browsers. And that styling isn't included.
<link href="http://www.mywebsite.com/ccm/system/css/layout/6/" rel="stylesheet" type="text/css" media="all">
LOGIN PAGE
When we browse tohttp://www.mywebsite.com/login the login form actually submits to a non secure URL. How do we fix this?
Concrete5 FORM Blocks.
All form blocks also redirect to non secure urls. Safari now alerts this to the user on submit which isn't a great experience!
I have "hacked" the core code to get around a few of these issues, but would love to know what the actual way is to set this up?
Thanks for your help in advance.
Richard.
Our website is running Concrete 5.7 and we have setup our .htaccess to force our traffic on to HTTPS (secure) which is all working great, but there are a few things that are not right and I'm not sure the correct way to resolve them.
We have mixed content issues on some pages however.
CSS
Even though the page is loaded over HTTPS any Concrete5 generated styling for Layouts etc.. is included as http which clearly breaks on most modern browsers. And that styling isn't included.
<link href="http://www.mywebsite.com/ccm/system/css/layout/6/" rel="stylesheet" type="text/css" media="all">
LOGIN PAGE
When we browse tohttp://www.mywebsite.com/login the login form actually submits to a non secure URL. How do we fix this?
Concrete5 FORM Blocks.
All form blocks also redirect to non secure urls. Safari now alerts this to the user on submit which isn't a great experience!
I have "hacked" the core code to get around a few of these issues, but would love to know what the actual way is to set this up?
Thanks for your help in advance.
Richard.
Hi Moosh,
Yes we have https version set for the "SSL URL" field.
I can't set the https:// url into the Canonical URL field as I get the following error. (attached)
Richard.
Yes we have https version set for the "SSL URL" field.
I can't set the https:// url into the Canonical URL field as I get the following error. (attached)
Richard.
I had the same issue with a fresh install of 5.7.5.7 and HTTPS. Styles breaking, right-hand menu randomly (but not always) degrading, login cookies doing funky things, etc.
Mine was even worse because I set up the SSL certificate and redirect on my web host (Nearlyfreespeech) before I even ran the install scripts, since I was running them over the open Internet and ***didn't want to pass my database and admin passwords over plaintext. Are you listening, developers?*** The install script got stuck in several places, and I was eventually forced to do it over HTTP and change passwords afterwards.
Anyway, the fix for me has been to set BOTH the Canonical URL and SSL URL to the https:// address. The web interface will not allow you to do this, but you can force the change by editing
and setting both and to the https:// address. The comments at the top of the file say not to edit it directly, but nobody has sued me yet...
I love C5 and have used it for years, but I'm very disappointed that the touted 5.7 doesn't work out of the box with with TLS. In this post-Snowden age, encryption should be a default! Apologies for using TLS, HTTPS, and SSL interchangeably. I don't know which words to use where, but I'm hoping to make this post show up in search results.
Mine was even worse because I set up the SSL certificate and redirect on my web host (Nearlyfreespeech) before I even ran the install scripts, since I was running them over the open Internet and ***didn't want to pass my database and admin passwords over plaintext. Are you listening, developers?*** The install script got stuck in several places, and I was eventually forced to do it over HTTP and change passwords afterwards.
Anyway, the fix for me has been to set BOTH the Canonical URL and SSL URL to the https:// address. The web interface will not allow you to do this, but you can force the change by editing
public/application/config/generated_overrides/concrete.php
and setting both
canonical_url
canonical_ssl_url
I love C5 and have used it for years, but I'm very disappointed that the touted 5.7 doesn't work out of the box with with TLS. In this post-Snowden age, encryption should be a default! Apologies for using TLS, HTTPS, and SSL interchangeably. I don't know which words to use where, but I'm hoping to make this post show up in search results.
I also have similar problem. Even after I change Canonical and ssl url from dashboardnya. Everytime I browse to my site, it always open http, not https. Not sure if it come from server side, because I have another WP site and work ok.
I read from some web to include
On .htaccess, but when I did that, seems my site is not working correctly
I read from some web to include
RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
On .htaccess, but when I did that, seems my site is not working correctly
Which version are you using?
Update might resolve the issue.
Update might resolve the issue.
Hi Hissy,
We are using Concrete 5.7.5.2
Thoughts?
We are using Concrete 5.7.5.2
Thoughts?
Hello.
We have the same Problem. We forced https via htacces and edited the settings in SEO-URL configuration, but all forms on the page and the backend dashboard still try to load via http. So the backend and register-/login-forms don't work anymore.
I think this is a serious problem. Please solve it. In other systems, you can just switch "force ssh" on in the backend and everything works fine.
We have the same Problem. We forced https via htacces and edited the settings in SEO-URL configuration, but all forms on the page and the backend dashboard still try to load via http. So the backend and register-/login-forms don't work anymore.
I think this is a serious problem. Please solve it. In other systems, you can just switch "force ssh" on in the backend and everything works fine.
kenjihonma, did you try my solution, above, specifically editing the SEO-URL settings manually? I'm curious as to whether my solution works for others, or if I've got something funky going on in my environment. (^_^)
I tried it and it didn't work. After i added it to the generated overrides, all backend-settings were deleted.
It also didnt work for me
Hi there,
I thought I'd update everyone on where I got to with this.
We use cloudflare to serve our SSL cert and force our traffic to be SSL. Setting the SEO canonical url in /application/config/concrete.php ended up causing a redirect loop for us, but I think this would probably fix the issue for most:
.
Fore the issues around the CSS files being included insecure, I ended up hacking the core code.
/concrete/src/Asset/CssAsset.php
LINE 182 __toString function..
.
Hope this helps someone..
I thought I'd update everyone on where I got to with this.
We use cloudflare to serve our SSL cert and force our traffic to be SSL. Setting the SEO canonical url in /application/config/concrete.php ended up causing a redirect loop for us, but I think this would probably fix the issue for most:
'seo' => array( 'canonical_url' => 'https://www.mywebsite.com', 'trailing_slash' => true, 'url_rewriting_all' => true ),
Fore the issues around the CSS files being included insecure, I ended up hacking the core code.
/concrete/src/Asset/CssAsset.php
LINE 182 __toString function..
public function __toString() { $assetURL = $this->getAssetURL(); if(!DEVELOPMENT){ $assetURL = str_replace('http://', 'https://', $assetURL);//fix this on production! } $e = new HeadLink($assetURL, 'stylesheet', 'text/css', 'all'); if (count($this->combinedAssetSourceFiles)) { $source = ''; foreach ($this->combinedAssetSourceFiles as $file) { $source .= $file.' '; } $source = trim($source); $e->setAttribute('data-source', $source); }
Viewing 15 lines of 17 lines. View entire code block.
Hope this helps someone..
Hi all,
I'm having the same issue and have tried all of the suggestions available on this feed.
I'm running 5.7.5.9 and a lot of the css doesn't render properly and some of the images don't show up, yet some of them do?
Any thoughts on that?
Thank you
I'm having the same issue and have tried all of the suggestions available on this feed.
I'm running 5.7.5.9 and a lot of the css doesn't render properly and some of the images don't show up, yet some of them do?
Any thoughts on that?
Thank you
This is ridiculous. Is there an -actual- solution for this coming? This should literally be a checkmark in the dashboard somewhere, not having to go edit more files manually.
When 5.7 is as rough as it is, why in the world are we rushing like h*ll to get 5.8 rushed out?
When 5.7 is as rough as it is, why in the world are we rushing like h*ll to get 5.8 rushed out?
Agreed, there are some things that really should be just check boxes and not 'build from scratch' type options in the system.
Yes totally agree..
The issue is that most developers will build a site on their local which generally is http, then it's not until it goes live on the server that it is needed to be https and you discover all these issues.
The issue is that most developers will build a site on their local which generally is http, then it's not until it goes live on the server that it is needed to be https and you discover all these issues.
Hello,
I am also having trouble. I recently installed SSL certificate and now I cannot log in to my website. I am not a developer and I need help resolving this issue.
I am also having trouble. I recently installed SSL certificate and now I cannot log in to my website. I am not a developer and I need help resolving this issue.
Same issue for me. Has anyone come up with a non-hack-the-code way to get it to force to HTTPS?
I use this in my .htaccess:
And it works just fine for me. Has nothing to do with Cloudflare and CDN stuff, just SSL.
And of course you need to set the base url right in dashboard.
<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_HOST} ^(www\.)(.+) [OR] RewriteCond %{HTTPS} off RewriteCond %{HTTP_HOST} ^(www\.)?(.+) RewriteRule ^ https://%2%{REQUEST_URI} [R=301,L] RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME}/index.html !-f RewriteCond %{REQUEST_FILENAME}/index.php !-f RewriteRule . index.php [L] </IfModule>
And it works just fine for me. Has nothing to do with Cloudflare and CDN stuff, just SSL.
And of course you need to set the base url right in dashboard.
"And of course you need to set the base url right in dashboard."
What exactly does that mean? Set the canonical URL to the http:// & https://?
What exactly does that mean? Set the canonical URL to the http:// & https://?
Set the two canonical fields to your https URL in /application/config/generated_overrides/concrete.php as follows
...then add the above rewrite rules to your .htaccess file. It works fine for me :)
'seo' => array( 'canonical_url' => 'https://yourdomain.co.uk', 'canonical_ssl_url' => 'https://yourdomain.co.uk', 'redirect_to_canonical_url' => 1, 'url_rewriting' => 1, ),
...then add the above rewrite rules to your .htaccess file. It works fine for me :)
Anyone else think this is ridiculous? Why do I need to go hardcode things like this? Why in the h311 is there two settings for the canonical URL?
No, no, no - the warning at the top of the files in generated_overrides/* are there for a reason. These should go in application/config/concrete.php instead.
Please see my reply to this post:
https://www.concrete5.org/community/forums/customizing_c5/how-to-for...
Please see my reply to this post:
https://www.concrete5.org/community/forums/customizing_c5/how-to-for...
Did you tried to go to "URLs & Redirection" settings and setup canonical urls ?
If you put https://... for the both fields, I think https will be forced.
moosh